Making an application work with SELinux
When you add a new service to an SELinux-enabled server, it may fail to work because the local SELinux policy denies something it needs.
This document describes how to add the necessary rules to the local policy to allow the service to work.
The example used is getting MySQL clustering to work on a FC4 server.

Pre-requisites
In order to modify the SELinux policy, you'll need to install the SELinux policy sources. On FC4, this means installing the selinux-policy-targeted-sources rpm:
# yum install selinux-policy-targeted-sources

Find out what rules are required
To determine the rules you need to add to your local SELinux policy, first start up your application - don't worry if it fails to start.
Now use the audit2allow tool to analyse the audit log and find out which SELinux denials are blocking your application from working (the -l option only considers denials logged since the policy was last loaded):
# audit2allow -i /var/log/audit/audit.log -l
allow mysqld_t port_t:tcp_socket name_connect;
allow mysqld_t var_lib_t:file append;
allow mysqld_t var_lib_t:sock_file create;
Review each rule before adding it: audit2allow allows exactly what was denied, so check that each rule is no broader than the service actually needs. Then add these lines to /etc/selinux/targeted/src/policy/domains/misc/local.te, and make and activate the new policy:
# cd /etc/selinux/targeted/src/policy/
# make load
Now re-start your application.
Use audit2allow again to check whether all the rules were captured the first time round. If not, repeat the process until audit2allow produces no output.
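The loop above is easier to reason about once you see what audit2allow is doing with each AVC denial line. The script below is an added example, not part of the original page and not the audit2allow tool itself: it converts AVC denial records from the audit log into allow rules of the same shape audit2allow prints, de-duplicates them, and appends only rules that are not already in a local.te file. The audit lines in SAMPLE_AUDIT are constructed to mirror the three denials shown above (one repeated, plus an unrelated SYSCALL record that must be ignored); the temporary file used in the demonstration stands in for /etc/selinux/targeted/src/policy/domains/misc/local.te.

```shell
#!/bin/sh
# Added example: a minimal AVC-denial-to-allow-rule converter, modelled on the
# workflow above. Not audit2allow and not part of the original page.

# Constructed sample of what /var/log/audit/audit.log contains after a failed start.
SAMPLE_AUDIT='type=AVC msg=audit(1122334455.123:45): avc:  denied  { name_connect } for  pid=1234 comm="mysqld" dest=1186 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=AVC msg=audit(1122334455.456:46): avc:  denied  { append } for  pid=1234 comm="mysqld" name="ndb_1_cluster.log" dev=sda2 ino=98765 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:var_lib_t tclass=file
type=AVC msg=audit(1122334455.789:47): avc:  denied  { create } for  pid=1234 comm="mysqld" name="mysql.sock" scontext=root:system_r:mysqld_t tcontext=system_u:object_r:var_lib_t tclass=sock_file
type=AVC msg=audit(1122334456.001:48): avc:  denied  { append } for  pid=1234 comm="mysqld" name="ndb_1_cluster.log" scontext=root:system_r:mysqld_t tcontext=system_u:object_r:var_lib_t tclass=file
type=SYSCALL msg=audit(1122334456.001:48): arch=40000003 syscall=5 success=no exit=-13'

# avc_to_allow: read audit records on stdin, print one distinct
# "allow <source_t> <target_t>:<class> <perm>;" rule per AVC denial.
avc_to_allow() {
    awk '
    /type=AVC/ && /denied/ {
        # The denied permission(s) sit between the braces.
        perms = ""
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        # Contexts are user:role:type[:level]; the type is the third field.
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        n = split(perms, p, " ")
        if (n == 1) print "allow " src " " tgt ":" cls " " perms ";"
        else        print "allow " src " " tgt ":" cls " { " perms " };"
    }' | sort -u
}

# merge_rules <local.te>: read rules on stdin, append each one that is not
# already present in the file, and echo the rules that were actually added.
merge_rules() {
    te="$1"
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        if ! grep -Fxq -- "$rule" "$te" 2>/dev/null; then
            printf '%s\n' "$rule" >> "$te"
            printf '%s\n' "$rule"
        fi
    done
}

# Demonstration against a throwaway file; on a real FC4 box the target would be
# /etc/selinux/targeted/src/policy/domains/misc/local.te followed by "make load".
demo_te=$(mktemp)
printf '%s\n' "$SAMPLE_AUDIT" | avc_to_allow | merge_rules "$demo_te"
rm -f "$demo_te"
```

Running it prints the three distinct rules from the page; running merge_rules a second time against the same file adds nothing, which is the "repeat until audit2allow produces no output" condition expressed as a check on local.te rather than on the audit log. The script only reads and appends; it does not run make load, so every rule still passes through a human before it reaches the loaded policy.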
See SELinux rules required for MySQL clustering for the full list of SELinux rules required for clustering to work on FC4.